Applies to:
- Platform: Risk Assessment Platform
- User Roles: Super Admin, Company Admin, Users with permissions
This feature allows Company Admin users to configure these company-wide settings:
- Authentication - configure and enable/disable Single Sign-On.
- Workflow - enable/disable reopening risk factors when their mapped controls' rating changes.
View Company Settings
Users with appropriate permissions can access this page from Settings > Company Settings.
Workflow - Risk Factor Reopen
This feature allows control over the reopening of risk factors when their mapped control's rating changes. This setting is company-wide.
By default, the platform will reopen risk factors when the rating of their mapped controls changes. When risk factors are automatically reopened this way, their status is changed to Awaiting Submit and sent to the Assignee defined on the risk factor.
To stop the automatic reopening of risk factors, select "Do not reopen".
Authentication Management
This feature allows a company to configure an authentication method other than the one that is the default for its instance.
For users on the Arctic Intelligence cloud instance: configure Single Sign-On (SSO) authentication for the company.
For users of locally installed (on-prem) instances of the platform:
- When SSO is the instance default, this feature allows application authentication (email and password stored in the application) to be configured at the company level.
- When application authentication (email and password) is the instance default, this feature allows SSO authentication to be configured at the company level.
To configure the Authentication settings, you must have the Company Admin role or another role with the Configure Company Authentication permission. Learn more about Application Role Management.
The login URL for an account with SSO authentication contains an account-specific prefix. For example, the standard login URL https://app.risk-platform.com becomes https://mycompany.risk-platform.com.
This topic contains:
- Configuring Authentication for SSO at the Company Level
- Removing or Disabling SSO Authentication
- Common Mistakes and Solutions
Configuring Authentication for SSO at the Company Level
These instructions are for Company Admins configuring SSO on the Arctic Intelligence Cloud instance.
Complete the technical requirements before configuring SSO in the Risk Assessment platform.
Technical Requirements
Microsoft Azure Active Directory (AAD) OpenID Connect is supported.
The email address (username) of each user's platform login account must match the username of their AAD account. The platform identifies the signed-in user by this email address, so if the two do not match, the login attempt fails once SSO is enabled.
Important! Users will not be able to log in after SSO is enabled if the usernames do not match. Check the accounts before enabling SSO: the administrator who saves the settings is logged out and must also sign in via SSO.
Define AAD Application Registration and Authentication
1. Navigate to Azure > Azure Active Directory > App Registrations > New Registration.
2. Complete the registration details:
   - Enter a name for the application.
   - Select the supported account type appropriate for your organisation.
   - Enter the platform URL into Redirect URI, replacing "app" with your vanity URL prefix.
     Example: https://mycompany.risk-platform.com or https://mycomp.risk-platform.com
     Hint: Keep the prefix short; ideally, use an abbreviation if the company name is long.
3. Once registered, you are redirected to the app registration configuration page.
4. Navigate to Authentication > Web and add the following Web Redirect URIs, replacing "app" with the vanity URL prefix used in step 2. AAD matches redirect URIs exactly (scheme, host and path), so enter them precisely:
   - https://mycompany.risk-platform.com
   - https://mycompany.risk-platform.com/silent-renew.html
   - https://mycompany.risk-platform.com/test.html
5. On the same Authentication page, scroll down to Implicit Grant and Hybrid Flows, enable the ID Tokens setting and press Save. The platform receives the ID token directly from the authorisation endpoint, so sign-in fails if this is left disabled.
6. Navigate to Expose an API > Scopes Defined by this API > Add a Scope. Accept the default Application ID URI and press Continue.
7. Complete the scope fields (Scope name, Who can consent, and the consent display name and description), substituting values appropriate to your organisation, and press Add scope.
Collect AAD Data for Risk Assessment Authentication Settings
1. Navigate to App Registration > Overview and note the Application (client) ID.
2. Navigate to App Registration > Overview > Endpoints and note the OAuth 2.0 authorisation endpoint (v2).
Configuring Authentication in the Risk Assessment Platform
Before configuring the Authentication page settings, you must complete the technical requirements above. If they are incomplete, the IdP will not recognise the access request and login will fail.
As noted under Technical Requirements, each user's platform login email must match their AAD account username, or that user will not be able to log in after SSO is enabled.
1. Log into Risk Assessment with a login that has Company Admin permissions.
2. Use the Settings button and select Authentication from the menu.
3. Press the Configure button to add or edit the authentication details.
4. Configure each of the settings as described below:
   - Method - defaults to Single Sign-On (OpenID).
   - Copy from - use this field to copy authentication settings from another of your companies; otherwise, leave blank.
   - Vanity URL Prefix - enter the vanity URL prefix used in the redirect URIs (refer to Define AAD Step 2 and Step 4). For example, enter "mycompany" to use the login URL https://mycompany.risk-platform.com. The account-specific URL tells the platform which company's authentication details to apply.
   - Authority URL - derive this from the OAuth 2.0 authorisation endpoint noted in Collect AAD Step 2 by removing the "oauth2" path segment and the trailing "authorize"; keep the tenant ID and "v2.0".
     Example: If the authorisation endpoint in AAD is:
     https://login.microsoftonline.com/8ae297a6-f158-49ee-ab86-9a1883bdc4b6/oauth2/v2.0/authorize
     the Authority URL is:
     https://login.microsoftonline.com/8ae297a6-f158-49ee-ab86-9a1883bdc4b6/v2.0
   - Client ID - enter the Application (client) ID from Collect AAD Step 1.
5. Press the Save button only after you are sure all details are correct.
You will be immediately logged out of the application and must log in again with credentials that are valid for the authentication settings you defined on this page.
Note: If the authentication settings are incorrect, you will not be able to log back in without assistance. Should this happen, contact us at support@arctic-intelligence.com or use the Support button in the lower left of the login page.
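Because pressing Save logs you out, it is worth checking the values offline first. The following script is an added example (not part of the platform or of this article) that applies the rules above: it derives the Authority URL from the authorisation endpoint, checks that the tenant ID and Client ID are GUIDs, builds the three Web Redirect URIs for the vanity prefix and confirms each is registered exactly as AAD expects. It assumes the vanity prefix must be a valid DNS label other than "app" (the shared login host) and that the platform domain is risk-platform.com, as in the page's examples; the client ID in the sample is made up.

```python
"""Offline pre-save check for the SSO settings (added example, not platform code)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Azure AD issues tenant and application IDs as GUIDs.
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
# Assumption: the vanity prefix is a single DNS label (lower-case letters, digits, hyphens).
DNS_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
PLATFORM_DOMAIN = "risk-platform.com"  # from the page's example login URLs


def authority_from_authorize_endpoint(endpoint: str) -> str:
    """https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
    -> https://login.microsoftonline.com/<tenant>/v2.0
    (drop the 'oauth2' segment and the trailing 'authorize', keep tenant and v2.0)."""
    parts = urlsplit(endpoint.strip())
    if parts.scheme != "https":
        raise ValueError("authorisation endpoint must use https")
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) != 4 or segs[1:] != ["oauth2", "v2.0", "authorize"]:
        raise ValueError(f"unexpected endpoint path {parts.path!r}")
    tenant = segs[0]
    if not GUID_RE.match(tenant):
        raise ValueError(f"tenant id {tenant!r} is not a GUID")
    return urlunsplit((parts.scheme, parts.netloc, f"/{tenant}/v2.0", "", ""))


def discovery_url(authority: str) -> str:
    """OIDC discovery document for the authority. Fetching it in a browser and
    confirming its 'authorization_endpoint' equals the endpoint you noted is a
    quick manual check that the tenant ID is right."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def expected_redirect_uris(prefix: str) -> list[str]:
    """The three Web Redirect URIs the procedure registers for this prefix."""
    if prefix == "app" or not DNS_LABEL_RE.match(prefix):
        raise ValueError(f"invalid vanity prefix {prefix!r}")
    base = f"https://{prefix}.{PLATFORM_DOMAIN}"
    return [base, f"{base}/silent-renew.html", f"{base}/test.html"]


def check_settings(vanity_prefix, authorize_endpoint, client_id, registered_redirect_uris):
    """Return {'authority', 'discovery_url', 'errors'}; only press Save when errors == []."""
    errors = []
    authority = None
    try:
        authority = authority_from_authorize_endpoint(authorize_endpoint)
    except ValueError as exc:
        errors.append(f"authority: {exc}")
    if not GUID_RE.match(client_id.strip()):
        errors.append(f"client id {client_id!r} is not an Application (client) ID GUID")
    try:
        expected = expected_redirect_uris(vanity_prefix)
    except ValueError as exc:
        errors.append(f"prefix: {exc}")
        expected = []
    # AAD matches redirect URIs exactly, so compare exactly (a trailing slash is a mismatch).
    registered = {u.strip() for u in registered_redirect_uris}
    for uri in expected:
        if uri not in registered:
            errors.append(f"redirect URI not registered in AAD: {uri}")
    return {
        "authority": authority,
        "discovery_url": discovery_url(authority) if authority else None,
        "errors": errors,
    }


if __name__ == "__main__":
    # Constructed sample: tenant ID from the page's example, client ID made up.
    report = check_settings(
        vanity_prefix="mycompany",
        authorize_endpoint="https://login.microsoftonline.com/8ae297a6-f158-49ee-ab86-9a1883bdc4b6/oauth2/v2.0/authorize",
        client_id="3f0c1d2e-5a6b-4c7d-8e9f-0a1b2c3d4e5f",
        registered_redirect_uris=[
            "https://mycompany.risk-platform.com",
            "https://mycompany.risk-platform.com/silent-renew.html",
            "https://mycompany.risk-platform.com/test.html",
        ],
    )
    for err in report["errors"]:
        print("ERROR:", err)
    print("authority:", report["authority"])
    print("discovery:", report["discovery_url"])
```

Paste the redirect URIs exactly as they appear in the Azure Authentication blade; the check deliberately does not normalise trailing slashes or case, because AAD does not either.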
Removing or Disabling SSO Authentication
Press the Delete button in the upper right to delete the configured authentication settings.
To temporarily disable the configured authentication without deleting it, use the toggle at the far right of the page.
While SSO is deleted or disabled, users must log in with the email and password stored on the platform.
Common Mistakes and Solutions
New user login fails with "You are not a registered user"
Problem: When a new user attempts to log in, they receive the error "You are not a registered user. Please contact us to create an account."
Cause 1: The user is signed in to their network (AAD) with an email address that does not match the email address defined on their user account in RAP.
Solution 1: The user should open a browser in incognito mode and go to the RAP login page. When prompted, sign in to the network using the same email address that is defined on their user account in RAP.
Cause 2: The user is not assigned to the application in Azure, either directly or through a group.
Solution 2: When the application is defined in Azure, a group is generally assigned to it and users are added to the group. Alternatively, users can be assigned directly, or the application can be opened to everyone.
This is found in Azure AD > Enterprise applications > [app name] > Users and groups.
Confirm the user is assigned directly or is a member of an assigned group, and that their primary email address matches the one defined on their user account in RAP.
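When several users report this error at once, the two causes above can be separated in bulk. The following script is an added example, not tooling from the platform: given the RAP user emails, the AAD users with their group memberships and the Enterprise application's Users and groups assignment, it reports for each RAP user whether they can sign in and, if not, whether the problem is an email mismatch (cause 1) or a missing assignment (cause 2). It assumes the exports are plain lists like the constructed sample below, that the entry "everyone" means the application is open to all users, and that email addresses compare case-insensitively; none of these come from the page.

```python
"""Bulk diagnosis of "You are not a registered user" (added example, not platform code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AadUser:
    upn: str                          # userPrincipalName, the AAD "username"
    groups: frozenset = frozenset()   # group display names the user belongs to


def norm(addr: str) -> str:
    """Assumption: addresses and UPNs compare case-insensitively."""
    return addr.strip().lower()


def assigned_upns(aad_users, assignments):
    """Expand the application's Users and groups assignment.
    An entry is either a UPN (direct assignment) or a group name; the literal
    'everyone' (assumed marker) means the application is open to all users."""
    targets = {norm(a) for a in assignments}
    if "everyone" in targets:
        return {norm(u.upn) for u in aad_users}
    assigned = set()
    for u in aad_users:
        if norm(u.upn) in targets or any(norm(g) in targets for g in u.groups):
            assigned.add(norm(u.upn))
    return assigned


def diagnose(rap_emails, aad_users, assignments):
    """Map each RAP email to (status, detail).
    status: 'ok', 'not-assigned' (cause 2) or 'email-mismatch' (cause 1)."""
    assigned = assigned_upns(aad_users, assignments)
    all_upns = {norm(u.upn) for u in aad_users}
    result = {}
    for email in rap_emails:
        key = norm(email)
        if key in assigned:
            result[email] = ("ok", "assigned to the application")
        elif key in all_upns:
            result[email] = ("not-assigned",
                             "AAD account exists but is not in Users and groups")
        else:
            # Same local part under a different domain is the usual mismatch.
            local = key.split("@", 1)[0]
            near = sorted(u for u in all_upns if u.split("@", 1)[0] == local)
            detail = ("closest AAD username: " + ", ".join(near)) if near \
                else "no AAD account with this username"
            result[email] = ("email-mismatch", detail)
    return result


# Constructed sample data for the example.
AAD_USERS = [
    AadUser("alice@example.com", frozenset({"RAP Users"})),
    AadUser("bob@example.com"),                              # exists, never assigned
    AadUser("carol@example.net", frozenset({"RAP Users"})),  # different domain from RAP
    AadUser("Dave@example.com"),                             # assigned directly, odd case
]
ASSIGNMENTS = ["RAP Users", "dave@example.com"]
RAP_USERS = ["alice@example.com", "bob@example.com", "carol@example.com",
             "dave@example.com", "erin@example.com"]

if __name__ == "__main__":
    for email, (status, detail) in diagnose(RAP_USERS, AAD_USERS, ASSIGNMENTS).items():
        print(f"{email:22} {status:15} {detail}")
```

Run it against the real exports from Azure AD > Enterprise applications > [app name] > Users and groups (with group membership expanded) and the RAP user list; every row that is not "ok" tells you which of the two solutions above to apply.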